fix(security): run as non-root user in container

2022-12-01 14:36:27 +01:00 · 2022-12-01 14:36:27 +01:00 · 6832843f00
commit 6832843f00
parent 70794ad61a
3 changed files with 26 additions and 8 deletions
--- a/24
+++ b/24
@ -5,11 +5,25 @@

 FROM python:3

-# Install dependencies
+# Create non-root user
+ARG LUMI2_UID
+ARG LUMI2_GID
+ENV LUMI2_USERNAME=lumi2
+ENV LUMI2_GROUPNAME=lumi2
+RUN groupadd --gid ${LUMI2_GID:-1000} ${LUMI2_GROUPNAME} && \
+    useradd --uid ${LUMI2_UID:-1000} --gid ${LUMI2_GID:-1000} --no-create-home --shell /bin/bash ${LUMI2_USERNAME} && \
+    mkdir /app && chown ${LUMI2_UID:-1000}:${LUMI2_GID:-1000} /app
+
+# Copy source files
 WORKDIR /app
-COPY requirements.txt /app/
-COPY lumi2 /app/lumi2/
-COPY tests /app/tests/
-COPY pytest.ini /app/
+COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} requirements.txt /app/
+COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} lumi2 /app/lumi2/
+COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} tests /app/tests/
+COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} pytest.ini /app/
+
+# Install dependencies
 RUN pip install -r requirements.txt
+
+# Launch WSGI server
+USER ${LUMI2_UID:-1000}:${LUMI2_GID:-1000}
 ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:80", "--no-ipv6", "--call", "lumi2:create_app"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,12 +4,16 @@ version: "3"

 services:
  lumi2:
-    build: .
    container_name: lumi2
+    build:
+      context: .
+      args:
+        LUMI2_UID: 1000
+        LUMI2_GID: 1000
    volumes:
      - ./config.py/:/app/config.py:ro
    environment:
-      - LUMI_CONFIG=/app/config.py
+      - LUMI2_CONFIG=/app/config.py
    ports:
      - "8000:80"
    depends_on:
--- a/lumi2/init.py
+++ b/lumi2/init.py
@ -20,7 +20,7 @@ def create_app(test_config=None):

    if test_config is None:
        # Load the instance config, if it exists, when not testing
-        app.config.from_envvar('LUMI_CONFIG', silent=True)
+        app.config.from_envvar('LUMI2_CONFIG', silent=True)
    else:
        # Load the test config if passed in
        app.config.from_mapping(test_config)